Regional Image Perturbation Reduces $L_p$ Norms of Adversarial Examples While Maintaining Model-to-model Transferability
- URL: http://arxiv.org/abs/2007.03198v2
- Date: Sat, 18 Jul 2020 08:23:59 GMT
- Title: Regional Image Perturbation Reduces $L_p$ Norms of Adversarial Examples While Maintaining Model-to-model Transferability
- Authors: Utku Ozbulak, Jonathan Peck, Wesley De Neve, Bart Goossens, Yvan Saeys and Arnout Van Messem
- Abstract summary: We show that effective regional perturbations can be generated without resorting to complex methods.
We develop a very simple regional adversarial perturbation attack method using cross-entropy sign.
Our experiments on ImageNet with multiple models reveal that, on average, $76\%$ of the generated adversarial examples maintain model-to-model transferability.
- Score: 3.578666449629947
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: Regional adversarial attacks often rely on complicated methods for generating adversarial perturbations, making it hard to compare their efficacy against well-known attacks. In this study, we show that effective regional perturbations can be generated without resorting to complex methods. We develop a very simple regional adversarial perturbation attack method using cross-entropy sign, one of the most commonly used losses in adversarial machine learning. Our experiments on ImageNet with multiple models reveal that, on average, $76\%$ of the generated adversarial examples maintain model-to-model transferability when the perturbation is applied to local image regions. Depending on the selected region, these localized adversarial examples require significantly less $L_p$ norm distortion (for $p \in \{0, 2, \infty\}$) compared to their non-local counterparts. These localized attacks therefore have the potential to undermine defenses that claim robustness under the aforementioned norms.
Related papers
- VENOM: Text-driven Unrestricted Adversarial Example Generation with Diffusion Models [26.513728933354958]
VENOM is the first framework for high-quality unrestricted adversarial example generation through diffusion models.
We introduce an adaptive adversarial guidance strategy with momentum, ensuring that the generated adversarial examples align with the distribution $p(x)$ of deceiving natural images.
arXiv Detail & Related papers (2025-01-14T08:12:20Z)
- Boosting Adversarial Transferability by Achieving Flat Local Maxima [23.91315978193527]
Recently, various adversarial attacks have emerged to boost adversarial transferability from different perspectives.
In this work, we assume and empirically validate that adversarial examples in a flat local region tend to have good transferability.
We propose an approximation optimization method to simplify the gradient update of the objective function.
arXiv Detail & Related papers (2023-06-08T14:21:02Z)
- Improving Adversarial Robustness to Sensitivity and Invariance Attacks with Deep Metric Learning [80.21709045433096]
A standard method in adversarial robustness assumes a framework to defend against samples crafted by minimally perturbing a sample.
We use metric learning to frame adversarial regularization as an optimal transport problem.
Our preliminary results indicate that regularizing over invariant perturbations in our framework improves both invariant and sensitivity defense.
arXiv Detail & Related papers (2022-11-04T13:54:02Z)
- The Enemy of My Enemy is My Friend: Exploring Inverse Adversaries for Improving Adversarial Training [72.39526433794707]
Adversarial training and its variants have been shown to be the most effective approaches to defend against adversarial examples.
We propose a novel adversarial training scheme that encourages the model to produce similar outputs for an adversarial example and its "inverse adversarial" counterpart.
Our training method achieves state-of-the-art robustness as well as natural accuracy.
arXiv Detail & Related papers (2022-11-01T15:24:26Z)
- Frequency Domain Model Augmentation for Adversarial Attack [91.36850162147678]
For black-box attacks, the gap between the substitute model and the victim model is usually large.
We propose a novel spectrum simulation attack to craft more transferable adversarial examples against both normally trained and defense models.
arXiv Detail & Related papers (2022-07-12T08:26:21Z)
- Latent Boundary-guided Adversarial Training [61.43040235982727]
Adversarial training is proved to be the most effective strategy that injects adversarial examples into model training.
We propose a novel adversarial training framework called LAtent bounDary-guided aDvErsarial tRaining.
arXiv Detail & Related papers (2022-06-08T07:40:55Z)
- Discriminator-Free Generative Adversarial Attack [87.71852388383242]
Generative-based adversarial attacks can get rid of this limitation.
A Symmetric Saliency-based Auto-Encoder (SSAE) generates the perturbations.
The adversarial examples generated by SSAE not only make the widely-used models collapse, but also achieve good visual quality.
arXiv Detail & Related papers (2021-07-20T01:55:21Z)
- Generating Structured Adversarial Attacks Using Frank-Wolfe Method [7.84752424025677]
Constraining adversarial search with different norms results in disparately structured adversarial examples.
Structured adversarial examples can be used for adversarial regularization of models to make models more robust or to improve their performance on datasets which are structurally different.
arXiv Detail & Related papers (2021-02-15T06:36:50Z)
- Detecting Localized Adversarial Examples: A Generic Approach using Critical Region Analysis [19.352676977713966]
We propose a generic defense system called TaintRadar to accurately detect localized adversarial examples.
Compared with existing defense solutions, TaintRadar can effectively capture sophisticated localized partial attacks.
Comprehensive experiments have been conducted in both digital and physical worlds to verify the effectiveness and robustness of our defense.
arXiv Detail & Related papers (2021-02-10T03:31:16Z)
- Adversarial Distributional Training for Robust Deep Learning [53.300984501078126]
Adversarial training (AT) is among the most effective techniques to improve model robustness by augmenting training data with adversarial examples.
Most existing AT methods adopt a specific attack to craft adversarial examples, leading to unreliable robustness against other unseen attacks.
In this paper, we introduce adversarial distributional training (ADT), a novel framework for learning robust models.
arXiv Detail & Related papers (2020-02-14T12:36:59Z)
This list is automatically generated from the titles and abstracts of the papers in this site.